Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 709926

Summary: net-analyzer/zabbix: last rites have been cancelled without fixing underlying vulnerabilities
Product: Gentoo Linux Reporter: Michał Górny <mgorny>
Component: Current packagesAssignee: Gentoo Quality Assurance Team <qa>
Status: RESOLVED FIXED    
Severity: normal CC: alexanderyt, alicef, fordfrog, patrick, treecleaner
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.gentoo.org/show_bug.cgi?id=629882
https://bugs.gentoo.org/show_bug.cgi?id=629884
Whiteboard:
Package list:
Runtime testing required: ---

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-02-17 08:09:09 UTC 
On 2019-10-27 net-analyzer/zabbix was last rited for numerous issues.

The same day it was unmasked:

commit 19dd5997386e9e659591df87d1b6f6930058458e
Author:     Patrick Lauer <patrick@gentoo.org>
AuthorDate: 2019-10-27 14:02:22 +0100
Commit:     Patrick Lauer <patrick@gentoo.org>
CommitDate: 2019-10-27 14:03:57 +0100

    profiles/package.mask: drop zabbix mask
    
    Signed-off-by: Patrick Lauer <patrick@gentoo.org>


However, the underlying issues (including security issues, that are confirmed not to be fixed) are still open.  The maintainer has made exactly one commit to the package (on the same day), the co-maintainer hasn't done any commits.

I'd like to propose that we last rite it again, and issue an official warning to Patrick that blocking package removal without actually fixing bugs / starting to maintain them is not acceptable.
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-02-17 09:38:28 UTC 
QA, please vote on the following motion:

---
net-analyzer/zabbix will be masked for security issues.  If anyone wishes to unmask, he/she must at the very least resolve *all* security bugs and review the remaining bugs.

Patrick Lauer is issued a warning not to unmask packages unless he is actually going to perform the necessary work.  This applies both to zabbix and other packages masked in the future.
---
Comment 2 David Seifert gentoo-dev 2020-02-17 10:36:19 UTC 
(In reply to Michał Górny from comment #1)
> QA, please vote on the following motion:
> 
> ---
> net-analyzer/zabbix will be masked for security issues.  If anyone wishes to
> unmask, he/she must at the very least resolve *all* security bugs and review
> the remaining bugs.
> 
> Patrick Lauer is issued a warning not to unmask packages unless he is
> actually going to perform the necessary work.  This applies both to zabbix
> and other packages masked in the future.
> ---

I vote yes
Comment 3 Ulrich Müller gentoo-dev 2020-02-17 11:02:17 UTC 
I vote yes.

(Though I don't know why we must actually vote on this, the security team has the capacity to just mask the package.)
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-02-17 11:39:28 UTC 
I vote yes.
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-02-17 17:51:26 UTC 
I vote yes.
Comment 6 Andreas K. Hüttel archtester gentoo-dev 2020-02-17 19:34:13 UTC 
I vote yes.
Comment 7 Miroslav Šulc gentoo-dev 2020-02-23 10:44:11 UTC 
jfyi, i'm working on fixing all the issues, have already something ready, just need to finetune it and test it.
Comment 8 Larry the Git Cow gentoo-dev 2020-02-28 15:02:13 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9dd83ba9636be855abf97ac682cd55be731f0ce2

commit 9dd83ba9636be855abf97ac682cd55be731f0ce2
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-02-28 15:01:10 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-02-28 15:02:00 +0000

    net-analyzer/zabbix: bumps + security fixes + rewritten + removed obsolete
    
    1) many changes and improvements
    2) config directory and files are not writeable by zabbix
    3) creation of pid file disabled in zabbix, using s-s-d instead
    
    Bug: https://bugs.gentoo.org/629882
    Bug: https://bugs.gentoo.org/709926
    Bug: https://bugs.gentoo.org/629884
    Closes: https://bugs.gentoo.org/665960
    Closes: https://bugs.gentoo.org/670652
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 net-analyzer/zabbix/Manifest                       |  10 +-
 net-analyzer/zabbix/files/2.2/init.d/zabbix-agentd |  28 -
 net-analyzer/zabbix/files/2.2/init.d/zabbix-proxy  |  27 -
 net-analyzer/zabbix/files/2.2/init.d/zabbix-server |  26 -
 .../zabbix/files/2.2/patches/zbx7479.patch         |  83 ---
 .../zabbix/files/2.2/patches/zbx8151.patch         |  53 --
 net-analyzer/zabbix/files/2.2/zabbix_agent.conf    |  81 ---
 net-analyzer/zabbix/files/2.2/zabbix_agentd.conf   | 278 ---------
 net-analyzer/zabbix/files/2.2/zabbix_proxy.conf    | 519 ----------------
 net-analyzer/zabbix/files/2.2/zabbix_server.conf   | 546 -----------------
 net-analyzer/zabbix/files/3.0/init.d/zabbix-agentd |  28 -
 net-analyzer/zabbix/files/3.0/init.d/zabbix-proxy  |  27 -
 net-analyzer/zabbix/files/3.0/init.d/zabbix-server |  26 -
 net-analyzer/zabbix/files/3.0/zabbix_agent.conf    |  81 ---
 net-analyzer/zabbix/files/3.0/zabbix_agentd.conf   | 390 ------------
 net-analyzer/zabbix/files/3.0/zabbix_proxy.conf    | 674 ---------------------
 net-analyzer/zabbix/files/3.0/zabbix_server.conf   | 635 -------------------
 .../zabbix/files/zabbix-3.0.30-mysql8.patch        |  17 +
 .../zabbix-3.0.30-security-disable-PidFile.patch   |  49 ++
 ...fix.patch => zabbix-4.0.18-modulepathfix.patch} |   0
 .../zabbix-4.0.18-security-disable-PidFile.patch   |  49 ++
 net-analyzer/zabbix/files/zabbix-agentd.init       |  20 +
 net-analyzer/zabbix/files/zabbix-agentd.service    |  10 +-
 .../zabbix-jmx-proxy => zabbix-jmx-proxy.conf}     |   0
 .../zabbix-jmx-proxy => zabbix-jmx-proxy.init}     |   0
 net-analyzer/zabbix/files/zabbix-proxy.init        |  20 +
 net-analyzer/zabbix/files/zabbix-proxy.service     |   8 +-
 net-analyzer/zabbix/files/zabbix-server.init       |  19 +
 net-analyzer/zabbix/files/zabbix-server.service    |  11 +-
 net-analyzer/zabbix/zabbix-2.2.16-r1.ebuild        | 340 -----------
 net-analyzer/zabbix/zabbix-3.0.28.ebuild           | 330 ----------
 .../{zabbix-3.4.15.ebuild => zabbix-3.0.30.ebuild} | 204 ++++---
 net-analyzer/zabbix/zabbix-4.0.13.ebuild           | 332 ----------
 .../{zabbix-4.2.7.ebuild => zabbix-4.0.18.ebuild}  | 207 ++++---
 net-analyzer/zabbix/zabbix-4.4.0-r1.ebuild         | 333 ----------
 .../{zabbix-4.4.5.ebuild => zabbix-4.4.6.ebuild}   | 204 ++++---
 36 files changed, 523 insertions(+), 5142 deletions(-)
Comment 9 Miroslav Šulc gentoo-dev 2020-02-28 15:06:59 UTC 
waiting for review of the security issues, if all is ok will unmask...
Comment 10 Larry the Git Cow gentoo-dev 2020-03-20 10:10:43 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c13d1a00d3372475df99db6c23a90ad0294a3252

commit c13d1a00d3372475df99db6c23a90ad0294a3252
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-03-20 10:08:47 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-03-20 10:09:02 +0000

    package.mask: unmasked net-analyzer/zabbix
    
    Bug: https://bugs.gentoo.org/629882
    Bug: https://bugs.gentoo.org/629884
    Bug: https://bugs.gentoo.org/709926
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 profiles/package.mask | 7 -------
 1 file changed, 7 deletions(-)
Comment 11 Miroslav Šulc gentoo-dev 2020-07-08 07:25:55 UTC 
maybe it's a time to close this one?
Comment 12 Miroslav Šulc gentoo-dev 2020-09-28 07:30:49 UTC 
this has been fixed long ago